Beruflich Dokumente
Kultur Dokumente
Objectives
After completing this chapter, you will be able to Understand howl organizations develop their information systems. Identify the key participants in the system development process and understand their roles. Explain the phases in the system development life cycle. Identify the core activities in the information systems development process. Understand other system-building alternatives. Understand ethical and social issues related to information systems Understand information security and control
Contents
Overview of System Development
System Development Information System Planning Establishing Objectives and information requirements for Systems Development Measuring Information System Performance Project Management
44
examples of users include store clerks, sales representatives, accountants, supervisors, managers, executives, and customers. The kinds and types of information that users need often change over time. As a system user in a business, you someday may participate in the modification of an existing system or the development of a new system. Thus, it is important that you understand the system development in business. Systems development is the activity of creating a new business system or modifying an existing business system. It refers to all aspects of the process -from identifying problems to be solved or opportunities to be exploited to the implementation and refinement of the chosen solution. Whatever its scope and objectives, a new information system is an outgrowth of a process of organizational problem solving. A new information system is developed as a solution to some type of problem or set of problems the organization perceives it is facing. The problem may be one where managers and employees realize that the organization is not performing as well as expected, or it may come from the realization that the organization should take advantage of new opportunities to perform more successfully. When information requirements change, the information system must meet the new requirements. In some cases, the current information system is modified; in other cases, an entirely new information system is developed. Understanding information systems development is important to all professionals, not just those in the field of information systems. In today's organizations, managers and employees in all levels and functional areas work together and use business information systems. As a result, users of all types are helping with systems development and, in many cases, leading the way. At some point in your career, you will likely be involved in a systems development project -- as a user, as a manager of a business area or project team, as a member of the information systems department, maybe even as a CIO (Chief Information Officer) or CEO. Understanding and being able to apply systems development life cycle concepts, tools and techniques will help ensure the success of the development projects on which you participate. One important thing to know about information systems development is that an information system is a sociotechnical entity, an arrangement of both technical and social elements. The development of a new information system not only involves hardware, software, data, programmers and communications, but also includes changes in jobs, knowledge, skills, management, policies, processes, and organization. Often new systems mean new ways of doing business and working together. Building a new information system will affect the organization as a whole and change the decision-making process. When we develop a new information system, we are actually changing the organization and business processes. System builders must understand how a system will affect the organization as a whole, focusing particularly on organizational conflict and changes in the locus of decision making. Builders must also consider how the nature of work groups will change under the new system. Systems can be technical successes but organizational failures because of a failure in the social and political process of building the system. Therefore, information systems development has become an essential component of the organizational planning process.
3.1.2
Because an organization's business strategic plan contains both organizational goals and a broad outline of steps required to reach them, the business strategic plan affects the type of system an organization needs. Deciding which new systems to build should be an essential component of the organizational planning process. Organizations need to develop an information systems plan that supports their overall business plan and in which strategic systems are incorporated into top-level planning. The information systems planning refers to the process of the translation of strategic and organizational goals into systems development plan and initiatives (Figure 3-1). For example, part of the information systems plan for a luxury car company might be to build a new product tracking system to meet the organizational goal of improving customer service. Proper information systems planning ensures that specific systems development objectives support organizational goals. One of the primary benefits of information systems planning is that it provides a long-range view of information technology use in the organization. The information systems plan provides guidance on how the information systems infrastructure of the organization should be developed over time. The plan serves as a road map indicating the direction and rationale of systems development. Another benefit of information systems planning is that it ensures better use of information systems resources, including funds, information systems personnel, and time for scheduling specific projects.
45
Figure 3-2 shows the steps of information systems planning. Overall objectives of information systems are usually distilled from the Strategic Plan relevant aspects of the organization's business strategic plan. Information systems projects can be identified either directly from the objectives determined in the first step or may be identified by Develop overall objectives others, such as managers within the various functional areas. Setting priorities and selecting projects typically requires the involvement and approval of senior management. Once specific projects have been selected within the overall context of a strategic plan for the Identify information system projects business and the systems area, an information systems plan can be developed. The plan contains a statement of organizational goals, identifies the project objectives, and specifies how information technology supports the attainment of the organizational goals. When Set priorities and select projects objectives are set, planners consider the resources necessary to complete the projects including equipment (computers, network servers, printers, and other equipment and devices), software, employees (systems analysts, programmers, users and others), expert Develop information systems plan advice (specialists and other consultants), and so on. The information systems plan lays out specific target dates and milestones that can be used later to monitor the plans progress in Analyze resource requirements terms of how many objectives were actually attained in the time frame specified in the plan. The plan also includes the key management decisions concerning hardware acquisition; structure of authority, data, and hardware; telecommunications; and required Set schedules and deadlines organizational change. Organizational changes are usually described, including management and employee training requirements; recruiting efforts; changes in business processes; and changes in authority, structure, or management practice. The manager's toolkit Develop information system in Figure 3-3 gives the guideline for developing an information planning document system plan. As part of translating the corporate strategic plan into the information systems plan, many companies seek systems development Figure 3-2 The steps of information system planning project that will provide a competitive advantage. This usually requires creative and critical analysis. Creative analysis involves the investigation of new approaches to existing problems. By looking at problems in new or different ways and by introducing innovative methods to solve them, many firms have gained a competitive advantage. Typically, these new solutions are inspired by people and things not directly related to the problem. Critical analysis requires unbiased and careful questioning of whether system elements are related in the most effective or efficient ways. It involves considering the establishment of new or different relationships among system elements and perhaps introducing new elements into the system.
46
Managers Toolkit How to Develop an Information Systems Plan A good information systems plan should address the following topic:
1. Purpose of the Plan Overview of plan contents Changes in forms current situation Firms strategic plan Current business organization and future organization Key business processes Management Strategy Strategic Business Plan Current situation Current business organization Changing environments Major Environments Current Systems Major systems supporting business functions and processes Current infrastructure capabilities o Hardware o Software o Database o Telecommunications and Internet Difficulties meeting business requirements Anticipated future demands 4. New Development New system projects o Project descriptions o Business rational New infrastructure capabilities required o Hardware o Software o Database o Telecommunications and Internet Management Strategy Acquisition plans Milestones and timing Organizational realignment Internal reorganization Management controls Major training initiatives Personnel strategy Implementation Plan Anticipated difficulties in implementation Progress reports Budget Requirement Requirements Potential savings Financing Acquisition cycle
2.
5.
3.
6.
7.
These objectives could be accomplished either through automatic stock replenishment via electronic data interchange or through the use of exception reports. Regardless of the particular system development effort, the development process should define a system with specific performance and cost objectives. The success or failure of the systems development effort will be measured against these objectives. Performance objectives measure the extent to which a system performs as desired. Is the system generating the right information for a value-added business process? Is the output generated in a form that is usable and easily understood? Is the system generating output in time to meet organizational goals and operational objectives? Cost objectives attempt to balance the benefits of achieving performance goals with all costs associated with the system. Balancing performance and cost objectives within the overall framework of organizational goals can be challenging. Systems development objectives are important, however, in that they allow an organization to effectively and efficiently allocate resources and measure the success of a systems development effort. In order to develop an effective information systems plan, the organization must have a clear understanding of both its long- and short-term information requirements. Two principal methodologies for establishing the essential information requirements of the organization as a whole are enterprise analysis and critical success factors. Enterprise analysis argues that the firm's information requirements can only be understood by looking at the entire organization in terms of organizational units, functions, processes, and data elements. Enterprise analysis can help identify the key entities and attributes of the organization's data. The central method used in the enterprise analysis approach is to take a large sample of managers and ask them how they use information, where they get the information, what their environments are like, what their objectives are, how they make decisions, and what their data needs are. The results of this large survey of managers are aggregated into subunits, functions, processes, and data matrices. Data elements are organized into logical application groups--groups of data elements that support related sets of organizational processes. The weakness of enterprise analysis is that it produces an enormous amount of data that is expensive to collect and difficult to analyze. Most of the interviews are conducted with senior or middle managers, but there is little effort to collect information from clerical workers
47
and supervisory managers. Moreover, the questions frequently focus not on Efficiency IT Metrics management's critical objectives and where information is needed but rather on The amount of information that can travel through a Throughout what existing information is used. The system at any point in time result is a tendency to automate whatever exists. But in many instances, entirely Transaction The amount of time a system takes to perform a new approaches to how business is transaction Speed conducted are needed, and these needs are not addressed. System The number of hours a system is available for users The strategic analysis or critical sucAvailability cess factors approach argues that an organization's information requirements Web Includes a host of benchmarks such as the number of are determined by a small number of page views, the number of unique visitors, and the Traffic average time spent viewing a Web page critical success factors (CSFs) of managers. If these goals can be attained, the Response The time it takes to respond to user interactions such as firm's or organization's success is assured. a mouse click Time CSFs are shaped by the industry, the firm, then manager, and the broader environInformation The extent to which a system generates the correct ment. An important premise of the results when executing the same transaction numerous Accuracy strategic analysis approach is that there times are a small number of objectives that managers can easily identify and on which Effectiveness IT Metrics information systems can focus. The strength of the CSF method is that it The ease with which people perform transactions and/or produces a smaller data set to analyze Usability find information. A popular usability metric on the Internet than does enterprise analysis. The CSF is degrees of freedom, which measures the number of method takes into account the changing clicks required to find desired information environment with which organizations and managers must deal. This method Customer Measured by such benchmarks as satisfaction surveys, explicitly asks managers to look at the percentage of existing customers retained, and inSatisfaction environment and consider how their creases in revenue dollars per customer. analysis of it shapes their information needs. Unlike enterprise analysis, the CSF Conversion The number of customers an organization touches for method focuses organizational attention the first time and persuades to purchase its products or Rates services. This is a popular metric for evaluating the on how information should be handled. effectiveness of banner, pop-up, and pop-under ads on The method's primary weakness is that the the Internet aggregation process and the analysis of the data are art forms. There is no Such as return on investment, cost-benefit analysis and Financial particularly rigorous way in which break-even analysis individual CSFs can be aggregated into a clear company pattern. Second, there is often confusion among interviewees (and Figure 3-4 Common Types of Efficiency and Effectiveness IT Metrics interviewers) between individual and organizational CSFs. They are not necessarily the same. What can be critical to a manager may not be important for the organization. Moreover, this method is clearly biased toward top managers because they are generally the only ones interviewed.
48
and/or Do the right things. Doing things right addresses efficiency getting the most from each resource. Doing the right things addresses effectiveness setting the right goals and objectives and ensuring they are accomplished. Efficiency focuses on the extent to which an organization is using its resources in an optimal way; while effectiveness focuses on how well an organization is achieving its goals and objectives. The twoefficiency and effectivenessare definitely interrelated. However, success in one area does not necessarily imply success in the other. Regardless of what is measured, how it is measured, and whether it is for the sake of efficiency or effectiveness, there must be benchmarks, or baseline values the system seeks to attain. Benchmarking is a process of continuously measuring system results, comparing those results to optimal system performance, and identifying steps and procedures to improve system performance. Efficiency IT metrics focus on the technology itself. Effectiveness IT metrics are determined according to an organizations goals, strategies, and objectives. Figure 3-4 highlights the most common types of efficiency and effectiveness IT metrics.
When these items are identified, the project leader usually records them in a project plan. A popular tool used to plan and schedule the time relationships among project activities is a Gantt chart (Figure 3-5). A Gantt chart, developed by Henry L. Gantt, is a bar chart that uses horizontal bars to show project phases or activities. The left side, or vertical axis, displays the list of required activities. A horizontal axis across the top or bottom of the chart represents time. Another tool used for planning and scheduling time is called a PERT chart, short for Program Evaluation and Review Technique chart. Developed by the U.S. Department of Defense, a PERT chart analyzes the time required to
49
complete a task and identifies the minimum time required for an entire project (see Figure 3-6). PERT chats, sometimes called network diagrams, can be more complicated to create than Gantt charts for planning and scheduling large, complex projects. After a project begins, the project leader monitors and controls the project. Some activities take less time than originally planned. Others take longer. The project leader may realize that an activity is taking excessive time or that scope creep has occurred. Scope creep occurs when one activity has led to another that was not originally planned; thus, the scope of the project now has grown. Project leaders should have good change management skills so they can recognize when a change in the project has occurred, take actions to react the change, and plan for opportunities because of the change. For example, the project leader may recognize the team will not be able to meet the original deadline of the project due to scope creep. Thus, the project leader may extend the deadline or may reduce the scope of the system development. If the latter occurs, the users will receive a less comprehensive system at the original deadline. In either case, the project leader revises the first project plan and presents the new plan to users for approval. It is crucial that everyone is aware of and agrees on any changes made to the project plan.
One aspect of managing projects is to ensure that everyone submits deliverables on time and according to plan. A deliverable is any tangible item such as a chart, diagram, report, or program file. Project leaders can use project management software such as Microsoft Project (Figure 3-7) to assist them in planning, scheduling, and controlling development projects. Companies typically are presented with many different projects for solving problems and improving performance. There are far more ideas for system projects than there are resources. The company should select the projects that promise the greatest benefit to the business. In order to identify the information systems projects that will deliver the most business value, you will need to identify their costs and benefits and how they relate to the firms business strategy and information system plan. Some systems development projects are more likely to run into problems or to suffer delays because they carry a much higher level of risk than others. The level of project risk is influenced by project size, project structure and the level of technical expertise of the information systems staff and project team. Dealing with the project risks requires an understanding of the implementation process and change management. A broader definition of implementation refers to all the organization
50
activities working toward the adoption and management of an innovation, such as a new information system. Successful implementation requires a high level of user involvement in a project and management support. As globalization proceeds, companies will be building many more new systems that are global in scale, spanning many different units in many different countries. The project management challenges for global systems are similar to those for domestic systems, but they are complicated by the international environment. User information requirements, business processes, and work cultures differ from country to country. Developing a new information system solution is not merely a matter of installing hardware and software. The business must also deal with the organizational changes that the new solution will bring aboutnew information, new business processes, and perhaps new reporting relationships and decision-making power. A very well-designed solution may not work unless it is introduced to the organization very carefully. The process of planning change in an organization so that it is implemented in an orderly and effective manner is critical to the success or failure of information system solutions.
3.2
Effective system development requires a team effort. For each system development project, the organization usually establishes a project team to work on the project from beginning to end. The team usually consists of stakeholders, user, managers, systems development specialists and various support personnel (Figure 3-8). The development team is responsible for determining the objectives of the information system and delivering a system that meets these objectives to the organization. System
Installs and maintains networks; installs and monitors communications equipment and software
Administers and controls an organizations resources; works with system administrator and with application development teams; assists systems analysts and programmers in developing or modifying applications that use the companys database
Management
Interacts with the information system or uses the information it generates; assists with defining system requirements
Vendors
Responsible for security of an organizations systems, data and information
Users
System analyst
Security specialist
Develop and maintains an organizations Web site; create or helps users create Web pages
Converts the system design into the appropriate programming language and tests finished programs; installs and maintains operating system software and provides technical support to the programmers staff
51
development should involve representatives from each department in which the proposed system will be used. This includes both nontechnical users and IT professionals. Although the roles and responsibilities of members of the system development team may change from company to company, this section presents general descriptions of tasks for various team members. Stakeholders are individuals who, either themselves or through the area of the organization they represent, ultimately benefit from the systems development project. Managers who have high visibility roles as system sponsors or champions are key stakeholders in many strategically important systems because they work toward the systems success and ultimately receive some of the credit or blame. Other stakeholders may be affected less directly if a system shifts the balance of power in an organization or works contrary to their personal goals. Information systems that create new communication patterns are likely to have a wide range of stakeholders. Information system staff members are important stakeholders of most information systems because they are responsible for system operation and enhancement. As professionals in the field, they have a deeper understanding than most business professionals about what it takes to build and maintain solid information systems. They also have a clearer view of technical relationships between different systems and of policies and practices related to systems. During the course of the system development project, the systems analyst meets and works with a variety of people. A systems analyst is a professional who specializes in analyzing and designing business systems and is responsible for designing and developing an information system for his/her company. The systems analyst is the users' primary contact person. Depending on the size of the organization, the tasks performed by the systems analyst may vary. Smaller companies may have one system analyst or even one person who assumes the roles of both system analyst and programmer. Larger companies often have multiple systems analysts. System analysts are the liaison between the users and the IT professionals. They convert user requests into technical specifications. Thus, systems analysts must have superior technical skills. They also must be familiar with business operations, be able to solve problems, have the ability to introduce and support change, and posses excellent communications and interpersonal skills. System analysts prepare many reports, drawings, and diagrams. They discuss various aspects of the development project with users, management, other analysts, database analysts, database administrators, network administrators, the webmaster, programmers, vendors, and steering committee. Systems analyst is one of the most demanding positions in the country. Typically, systems analysts are more involved in design issues than in day-to-day programming. The minimum educational requirement is a bachelor's degree, but many companies opt for a master's degree. Salaries are excellent in this demanding occupation. A successful systems analyst is willing to embrace new technologies and is open to continued learning. Growing in demand are skills for the systems analyst that include e-business and enterprise-wide networking. The steering committee is a decision-making body in an organization. The goal of a steering committee is to get an organizations leaders, who have different interests and agendas, to share the responsibilities and risks that come with aligning information systems initiatives with broader business aims. Many organizations utilize a steering committee for some aspect of their information systems project management. A software programmer is a professional who uses a computer programming language, such as C++, C#, Java, Perl, PHP, and Visual Basic, to write the instructions necessary to direct the computer to process data into information. Programmers are responsible for developing computer programs to satisfy user requirements. They take the plans from the systems analyst and build the necessary software. Users are individuals who will interact with the system regularly. They can be employees, managers, customers, or suppliers. For large-scale systems development projects, where the investment in and value of a system can be quite high, is common to have senior-level managers, including the company president and functional vice presidents, be part of the development team. Since user information requirements drive the entire system-developing effort, user must have sufficient control over the design process to ensure that the system reflects their business priorities and information needs. The nature and level of user participation in systems development vary from system to system. There is more need for user involvement in systems with requirements that elaborate, complex, or vaguely defined than in those with simple or straightforward requirements. The other support personnel on the development team are mostly technical specialists. The network specialists are responsible for installing and maintaining local networks; the database specialists assist systems analysts and programmers in developing or modifying applications that use the companys database; the database administrators administer and control an organizations data and information resources; the data warehousing specialists develop and design enterprise-wide applications for data mining; the data communications specialists evaluate, install, and monitor data communications equipment and software and is responsible for connections to the Internet and other wide area networks; and the Webmasters create and maintain an organizations Web site. One or more of these roles may be outsourced to other companies or consultants. Depending on the magnitude of the systems development project and the number of information systems development specialists on the team, the team may also include one or more IT managers. The composition of a development team may vary over time and from project to project. For small businesses, the development team may consist of a system analyst and the business owner as the primary stakeholder. For large organizations, formal information systems development team can include hundreds of people involved in a variety of systems development activities. Every development team should have a team leader,
52
who is responsible for managing and controlling the budget and schedule of the project. The system analyst may or may not be selected as the project leader of the project.
3.3
As shown in Figure 3-9, each phase in the system development cycle consists of a series of activities, and the phases form a loop. Information systems development is an ongoing process for an organization. The phases in the SDLC form a loop, because when the information system requires changing, which may happen for a variety of reasons such as information requirements of users has changed or hardware and software become obsolete, the planning phases for a new or modified system begins and the system development life cycle starts again. The goal of the SDLC is to keep the project under control and assure that the information system developed satisfies the requirements. In theory, the five phases in the system development cycle often appear sequentially, as shown in Figure 3-9. In reality, activities within adjacent phases often interact with one another--making the system development cycle a dynamic iterative process. Members of the system development team follow established guidelines during the entire system development cycle.
1. Planning
Review project requests Prioritize project requests Allocate resources Form project development team
4. Implementation
Develop programs, if necessary Install and test new system Train users Convert to new system
3. Design
Acquire hardware and software, if necessary Develop details of system
53
They also interact with a variety of IT professionals and others during the system development cycle. In addition, they perform several ongoing activities during all five phases of the system development cycle. The following sections discuss each of these phases.
System Functionality
Digital catalog Product database
Information Requirements
Dynamic text and graphics catalog Product description, stocking numbers, inventory levels Site log for every customer visit; data mining capability to identify common customer paths and appropriate responses Secure credit card clearing; multiple options
Execute a transaction payment Accumulate customer information Provide after-sale customer support Coordinate marketing/advertising
Customer database
Name, address, phone, and e-mail; online customer registration Customer ID, product, date, shipping date, payment Site behavior log of prospects and customers linked to e-mail and banner ad campaigns
Sales database
Ad server, e-mail server, ad banner manager, campaign manager Site tracking and reporting system
Number of unique visitors, pages visited, products purchased, identified by marketing campaign Product and inventory levels, supplier ID and contact, order quantity data by product
Figure 3-10 Business objectives, system functionality, and information requirements for a typical e-commerce system
54
few will begin their system development cycle immediately. Others will have to wait for additional funds or resources to become available.
55
In some cases, the project team may recommend not to continue the project. In other words, the team considers the project infeasible. If the steering committee agrees, the project ends at this point. If the project team recommends continuing and the steering committee approves this recommendation, however, then detailed analysis begins. Detailed Analysis The detailed analysis defines the specific information requirements that must be met by the system solution selected and develops a detailed description of the functions that the new system must perform. This analysis involves three major activities: (1) study the existing system in depth so you thoroughly understand the current operations, uncover all possible problems and enhancements, and determine the causes and effects of these problems or enhancements; (2) determine the user's requirements for the proposed system, which includes who needs what information, and when, where, and how the information is needed; and (3) present alternative solutions to Figure 3-11 The ERD shows the relationships among entities in a system the problem or enhancement and then recommend a proposed solution. Perhaps the most difficult task of the detailed analysis is to define the specific information requirements that must be met by the system. Faulty requirement analysis is a leading cause of system failure and high system development costs. An important benefit from studying the existing system and determining user requirements is that these activities build valuable relationships among the systems analyst and users. The systems analyst has much more credibility with users if he/she understands how the users currently perform their job responsibilities and respects their concerns. During the detailed analysis, systems analysts use all available data and information gathering techniques. They review documentation, observe employees and machines, distribute surveys, interview employees, and do research. While studying the current system and identifying user requirements, the systems analyst collects a great deal of data and information. A major task for the systems analyst is to document these findings in a way that can be understood by everyone. Both users and IT professionals refer to this documentation. An important benefit from these activities is that they build valuable relationships among the system analysts and users. Most system analysts use either a process modeling or object modeling approach to analysis and design. Process modeling is an analysis and design technique that describes processes that transform inputs into outputs. Tools that a systems analyst uses for process modeling include entity-relationship diagrams, data flow diagrams, and the project dictionary. An entity-relationship diagram (ERD) is a tool that graphically shows the connections among entities in a system. An entity is an object in the system that has data. Each relationship describes a connection between two entities. For example, in the ERD shown in Figure 3-11, a vendor supplies one or more computers. A customer may or may not use one of these computers. A customer may or may not place an order. Some customers may place multiple orders. Each order contains one or more items from the menu. It is important that the systems analyst reviews the ERD with the user. After users approve the ERD, the systems analyst identifies data items associated with an entity. For example, the VENDOR entity might have these data items: Vendor Number, Vendor Name, Address, City, State, Postal Code, Telephone Number, and E-mail Address. A data flow diagram (DFD) is a tool that graphically shows the flow of data in a system. The key elements of a DFD are the data flows, the processes, the data stores, and the sources (Figure 3-12). A data flow, indicated by a line with an arrow, shows the input or output of data or information into or out from a process. A Figure 3-12 The DFD shows the flow of data in a system process, which is drawn as a circle, transforms
56
an input data flow into an output data flow. A data store, shown as a rectangle with no sides, is a holding place for data and information. A source, drawn as a square, identifies an entity outside the scope of the system. Source sends data into the system or receives information from the system. Like ERDs, systems analysts often use EFDs to review processes with users. System analysts prepare DFDs on a level-bylevel basis. The top level, known as a context diagram, identifies only the major process. Lower-level add detail and definition to the higher levels, similar to zooming in on a computer screen. The lower levels contain sub-processes.
The project dictionary, sometimes called the repository, contains all the documentation and deliverables of a project. The project dictionary helps everyone keep track of the huge amount of details in a system. The dictionary explains every item found on DFDs an ERDs. Each process, data store, data flow, and source on every DFD has an entry in the project dictionary. Every entity on the ERD has an entry in the project dictionary. The dictionary also contains an entry for each data item associated with the entities. The number of entries added to the dictionary at this point can be enormous. As you might imagine, this activity requires a huge amount of time. The system analyst uses a variety of techniques to enter these items in the project dictionary. Some of these include
structured English, decision tables, decision trees, and the data dictionary. Structured English is a style of writing that describes the steps in a process. Many systems analysts use structured English to explain the details of a process. Figure 3-13 shows an example of structured English that describes the process of uploading vendor information. Sometimes, a process consists of many conditions or rules. In this case, the systems analyst may use a decision table or decision tree instead of structured English. A decision table is a table that lists a variety of conditions and the actions that correspond to each condition. A decision tree also shows conditions and actions, but it shows them graphically. Figure 3-14 and 3-15 show a decision table and decision tree for the same process: determining whether a vendor is approved. Each data item has an entry in the data dictionary section of the project dictionary (Figure 3-16). The data dictionary stores the data item's name, description, and other details about each data item. The systems analyst creates the data dictionary during detailed analysis. In later phases of the system development cycle, the systems analyst refers to and updates the data dictionary. Another approach systems analysts can use is the object modeling, sometimes called objectoriented (OO) analysis and design, which combines the data with the processes that act on that data into a single unit, called an object. An object is an item that can contain both data and the procedures that read or manipulate that data. For example, a Customer object might contain Figure 3-15 An example of decision tree data about a customer (Customer ID, First Name, Last Name, Address, and so on) and instructions
57
about how to print a customer's record or the formula required to compute a customer's amount due. Each data element is called an attribute or property. The procedure in the object, called an operation or method, contains activities that read and manipulate the data. Object modeling can use the same tools as those used in process modeling. Many systems analysts, however, choose to use tools defined in the UML (Unified Modeling Language). Although used in all types of business modeling, the UML has been adopted as a standard notation for object modeling and development. The UML is a graphical tool that enables analysts to document a system. It consists of many interrelated diagrams. Each diagram conveys a view of the systems. The latest UML tool includes 13 different diagrams to assist the analyst in modeling the system. Two of the more common diagrams are the use case diagram and class diagram. Figure 3-16 An example of data dictionary A use case diagram graphically shows how actors (a user or other entity) interact with the information system (Figure 3-17). The function that the actor can perform is called the use case. A class diagram graphically shows classes and subclasses in a system (Figure 3-18). On a class diagram, objects are grouped into classes. Each class can have one or more lower levels called subclasses. Each subclass inherits the methods and attributes of the objects in its higherlevel class. Every object in a class shares methods and attributes that are part of its higher-level class. This concept of lower levels inheriting methods and attributes of higher levels is called inheritance.
The System Proposal After having studied the current system and determined all user requirements, the systems analyst communicates possible solutions for the project in a system proposal. The purpose of the system proposal is to assess the feasibility of each alternative solution and then recommend the most feasible solution for the project. The systems analyst presents the system proposal to the steering committee. If the steering committee approves a solution, the project enters the design phase. When the steering committee discusses the system proposal and decides which alternative to pursue, it often is deciding whether to buy packaged software from an outside source, build its own custom software, or outsource some or all of its IT needs to an outside firm. Packaged software is mass-produced, copyrighted, prewritten software available for purchase. Vendors offer two types of packaged software: horizontal and vertical. Horizontal market software meets the
58
needs of many different types of companies. If a company has a unique way of accomplishing activities, then it also ma require vertical market software. Vertical market software specifically is designed for a particular business or industry. Horizontal market software tends to be more widely available and less expensive than vertical market software. You can search for vertical and horizontal market software on the Web. Instead of buying packaged software, some companies write their own applications. Application software developed by the user or at the user's request is called custom software. The main advantage of custom software is that it matches the company's requirements exactly. The disadvantages usually are that it is more expensive and takes longer to design and implement than packaged software. Companies can develop custom software in-house using their own IT personnel or outsource it, which means having an outside source develop it for them. Some companies outsource just the software development aspect of their IT operation. Others outsource more or all of their IT operation. Depending on a company's needs, outside firms can handle as much of the IT requirements as desired. Some provide hardware and software. Others provide services such as Web design and
HTTP request
Verify Login
Accept/reject visitor
Catalog Database
Ship Products
Purchase Products
Order Database
T1/Cable/DSL/56 KB modem
IBM eServer xSeries 336 Web server with two Intel Xeon processors and 300 GB storage
Oracle SQL database IBM WebSphere ecommerce suite Ad server Online catalog Mail server
Customer
Internet
59
development, Web hosting, sales, marketing, billing, customer service, and legal assistance. A trend that has caused much controversy relates to companies that outsource to firms located outside their homeland.
60
very important that outputs are identified correctly and that users agree to them. The systems analyst typically develops two types of designs for each input and output: a mockup and a layout chart. A mockup is a sample of the input or output that contains actual data (Figure 3-21). The systems analyst shows mockups to users for their approval. Because users will work with the inputs and outputs of the system, it is crucial to involve users during input and output design. After users approve the mockup, the systems analyst develops a layout chart for the programmer. A layout chart is more technical and contains programming-like notations for the data items (Figure 3-22). Other issues that must be addressed during input and output design include the types of media to use (paper, video, audio); formats (graphical or narrative); and data entry validation techniques, which make sure the entered data is correct. During program design, the systems analyst prepares the program specification package, which identifies the required programs and the relationship among each program, as well as the input, output, and database specifications. Many people should review the detailed design specifications before they are given to the programming team. Reviewers should include users, systems analysts, managers, IT staff, and members of the system development team. One popular review technique is an inspection. An inspection is a formal review of any system development cycle deliverable. A team of four or five people examines the deliverables, such as reports, diagrams, mockups, layout charts, and dictionary entries. The purpose of an inspection is to identify errors in the item being inspected. Any identified errors are summarized in a report so they can be addressed and corrected. One again, the systems analyst reevaluates feasibility to determine if it still beneficial to proceed with the proposed solution. If the steering committee decides the project still is feasible, which usually is the case, the project enters the implementation phase.
61
programming, that system specifications are translated into program code, the actual instructions for the machine. Like the system development life cycle, program development also follows an organized set of activities, called program development life cycle (PDLC). The PDLC follows six steps: (1) analyze the requirements, (2) design the solution, (3) validate the design, (4) implement the design, (5) test the solution, and (6) document the solution. Chapter 14 explains the program development cycle in depth. If new hardware was acquired, the hardware must be installed and tested at this point. Both packaged software and custom software programs have to install on the hardware. It is extremely important that the hardware and software be tested thoroughly. Inadequate system testing will lead to serious problems or even disaster to the organization. Just as you test individual programs, you must test the entire information system to ensure that the programs and hardware operate together to accomplish the desired functions. System tests frequently uncover inconsistencies among programs as well as inconsistencies in the original hardware or software specification. It is better to find errors so you can correct them before putting the system into production; that is delivering it to the users. Testing an information system can be broken down into four types of activities: 1. 2. 3. 4. Unit Testing: test each program separately in the system. The purpose of such testing is to guarantee that programs are error-free. System Testing: test the functioning of the information system as a whole and verify that all programs in the system work together properly. Integration Testing: verify that the information system works well with other systems. Acceptance Testing: provide the final certification that the system is ready to be used in a production setting. System tests are evaluated by users and reviewed by management. When all parties are satisfied that the new system meets their standards, the system is formally accepted for the conversion.
According to a recent study, poor user training is one of the top ten reasons why system development projects fail. For an information system to be effective, users must be trained properly on its functionality. They must be trained on how to use both the hardware and the software. Users must be trained properly on a system's functionality. Training is the process of ensuring that system users know what they need to know about both the work system and the information system. Training shows the users exactly how they will use the new hardware and software in the system. Training may take place as classroom-style lectures or Web-based training that is a self-directed, self-paced online instruction method. The training format depends on user backgrounds and the purpose and features of both work system and the information system. Companies can also provide education to the users. Education is the process of learning new principles or theories that help users understand the system. For example, many companies do their businesses electronically. In this case, employees need to be educated on the concepts and practices of E-commerce. The final implementation activity is to change from the old system to the new system. This process is called conversion. This conversion can take place using one or more of the following conversion strategies (Figure 3-23): Direct cutover strategy: With direct cutover strategy, users stop using the old system and begin using the new system on a certain date. The advantage of this strategy is that it requires no transition costs and is a quick implementation technique. The disadvantage is that it is extremely risk and can disrupt operations seriTime ously if the new system does not work corDirect rectly, since there is no other system to fall Old system New system Conversion back on. Parallel Parallel strategy: Both the old system and its Old system Conversion potential replacement are running together for New system a specified time period until it is assured that the new one functions correctly. The advantage of this strategy is that any problems with Phased the new system can be solved before the old Old system New system Conversion system is terminated. The disadvantage is that it is very expensive since additional staff or resources may be required to run the extra system. Old system New system Phased strategy: This strategy introduces the Pilot new system in stages, either by functions or by Old system New system Conversion organizational units. Each function or organNew system izational unit is converted separately at different times using either a direct cutover or paralFigure 3-23 System conversion strategies lel conversion. This strategy is often used with
62
larger systems that are split into individual sites. Pilot strategy: This strategy introduces the new system to only a limited area of the organization, such as a single department or operating unit. When this pilot version is complete and working smoothly and correctly, it is installed throughout the rest of the organization, using one of the aforementioned conversion strategies.
Figure 3-24 Case tools can assist system developers in their development processes
Graphicsenables the drawing of diagrams. Modelingcreates models of the proposed system. Code Generatorscreate actual computer programs from design specifications.
63
Project Repositorystores diagrams, specifications, descriptions, programs, and any other deliverable generated during the system development cycle. Quality Assuranceanalyzes deliverables, such as graphs and the data dictionary for accuracy. Housekeepingestablishes user accounts and provides backup and recovery functions.
3.4
Systems differ in terms of their size and technological complexity, and in terms of the organizational problems they are meant to solve. Because there are different kinds of systems, a number of methods have been developed to build systems. This sections describes these other alternative methods: prototyping, application software packages, end-user development, JAD/RAD, and outsourcing.
3.4.1 Prototyping
A major problem with the traditional SDLC is that the user does not use the solution until the system is nearly complete. The traditional approach is also inflexible -- changes in user requirements cannot be accommodated during development. One of alternative approaches to system development is the prototyping. Prototyping takes an iterative approach to the systems development process. During each iteration, requirements and alternative solutions to the problem are identified and analyzed, new solutions are designed, and a portion of the system is implemented. Users are then encouraged to try the prototype and provide feedback. The prototype is a working version of an information system or part of the system, but it meant to be only a preliminary model. During the development process, the prototype will be further refined until it conforms precisely to users' requirements. For many applications, a prototype will be extended and enhanced many times before a final design is accepted. Once the design has been finalized, the prototype can be converted to a polished production system. Prototyping is less formal than the development life cycle method. Instead of generating detailed specifications and signoff documents, prototyping quickly generates a working model of a system. Requirements are determined dynamically as the prototype is constructed. Systems analysis, design, and implementation all take place at the same time. The process of building a preliminary design, trying it out, refining it, and trying again has been called an iterative process of systems development because the steps required to build a system can be repeated over and over again. Figure 3-25 shows a model of the prototyping process. Prototyping process consists of the following steps: 1. Determine requirements: The system developer works with users to identify the users' basic information needs. Develop a working prototype: The system developer creates a preliminary model of a major subsystem or a scaled-down version of the entire system. Use the prototype: The developer let users work with the working prototype to determine how well the prototype meets their needs and to make suggestions for improving the prototype. Revise and enhance the prototype: The developer refines the prototype according to the users' requests. After the prototype has been revised, the cycle returns to step 3. The steps 3 and 4 are repeated until the user is satisfied. When no more iteration is required, the approved prototype then becomes an operational system.
Determine requirements
2.
3.
4.
User satisfied?
Yes
Operational system
Prototyping is most useful when there is some uncertainty about requirements or design solutions. Requirements may be difficult to specify in advance or they may change substantially as implementation progresses. This is particularly true of decision-oriented applications, where requirements tend to be very vague. Prototyping is also valuable for the design of the end-user interface of an information system (the part of the system that end users interact with, such as online display and data entry
64
screens, reports, or Web pages). User needs and behaviors are not entirely predictable and are strongly dependent on the context of the situation. Because prototyping encourages intense end-user involvement throughout the systems development process, it is more likely to produce systems that fulfill user requirements. However, rapid prototyping can gloss over essential steps in systems development. If the completed prototype works reasonably well, management may not see the need for reprogramming, redesign, or full documentation and testing to build a polished production system. Some of these hastily constructed systems may not easily accommodate large quantities of data or a large number of users in a production environment.
65
years ago would have taken IS programmers a month to build with third-generation languages. As tools become more powerful and more integrated, it becomes possible to create even more complex systems. Many organizations have reported gains in application development productivity by using end-user computing approach that in a few cases have reached 300 to 500 percent. Allowing users to specify their own business needs improves requirements gathering and often leads to higher level of user involvement and satisfaction with the system. However, end-user computing still cannot replace conventional methods for some business applications because the end users cannot easily handle the complexity of large transactions or applications with extensive procedural logic and updating requirements. The potential problems of end-user development are not always easy to see. Most of them arise from the fact that users generally lack the training an experience of systems analysts and programmers. For instance, systems produced by end users tend to be written for only one person to use. They are oriented to working on stand-alone personal computers. The systems are often customized to fit the needs of the original users. The systems lack security controls and are hard to modify. Other problems stem from the bottom-up approach inherent in end-user development. People in different areas of the company will wind up working on the same problem, when it could have been solved once by IS teams. Data tends to be scattered throughout the company, making it hard to share and wasting space. Not following standards generates incompatibilities among systems, making it difficult to combine systems created by different departments or even by people within the same department. The end-user computing poses organizational risks because it occurs outside of traditional mechanisms for information system management and control. When systems are created rapidly, without a formal development methodology, testing and documentation may be inadequate. Control over data can be in systems outside the traditional information systems department. The last, and possibly most import, complication is that end-user development takes time away from the user's job. Some users spend months creating and modifying systems that might have been created by IS programmers in a fraction of the time. One of the reasons for creating an IS department is to gain efficiency from using specialists. To help organizations maximize the benefits of end-user applications development, management should control the development of end-user applications by requiring cost justification of end-user information system projects and by establishing hardware, software, and quality standards for user-developed applications. Some organizations use information centers to promote standards for hardware and software so that end users could not introduce many disparate and incompatible technologies into the firm. Information centers are special facilities housing hardware, software, ad technical specialists to supply end users with tools, training, and expert advice so they can create information system applications on their won or increase their productivity. The role of information centers is diminishing as end-users become more computer literate, but organizations still need to closely monitor and manage end-user development.
66
period of time. RAD can include the use of visual programming and other tools for building graphical user interfaces, iterative prototyping of key system elements, the automation of program code generation, and close teamwork among end users and information systems specialists. RAD applies the value of teamwork to the developers. Firms are concerned about being the first in the market and feel they need to develop software rapidly. Systems often can be assembled from pre-built components. The process does not have to be sequential, and key parts of development can occur simultaneously. The techniques of using small groups of programmers using advanced tools, collaboration, and intense programming sessions was relatively successful at quickly producing thousands of new applications.
3.4.5 Outsourcing
If a firm does not want to use its internal Mixed Responsibility Completely Outsource resources to build or operate information Build: in-house Build: outsource Host: outsource systems, it can hire an external organization Host: outsource that specializes in providing these services to do the work. The process of turning over Completely In-house Mixed Responsibility an organization's computer center operations, Build: in-house Build: outsource telecommunications networks, or applicaHost: in-house Host: in-house tions development to external vendors is called outsourcing. The application service In-house Outsource providers (ASPs) are one form of outsourcBuilding the System ing. Subscribing companies would use the Figure 3-26 Choices in building and hosting the system software and computer hardware provided by the ASP as the technical platform for their system. In another form of outsourcing, a company would hire an external vendor to design and create the software for its system, but that company would operate the system on its own computer. Figure 3-26 illustrates the alternatives. Outsourcing has become popular because some organizations perceive it as more cost effective than maintaining their own computer center or information systems staff. The provider of outsourcing services benefits from economies of scale (the same knowledge, skills, and capacity can be shared with many different customers) and is likely to charge competitive prices for information systems services. Outsourcing allows a company with fluctuating needs for computer processing to pay for only what it uses rather than to build its own computer center, which would be underutilized when there is no peak load. Some firms outsource because their internal information systems staff cannot keep pace with technological change or innovative business practices or because they want to free up scarce and costly talent for activities with higher payback. Not all organizations benefit from outsourcing, and the disadvantages of outsourcing can create serious problems for organizations if they are not well understood and managed. Many firms underestimate costs for identifying and evaluating vendors of information technology services, for transitioning to a new vendor, and for monitoring vendors to make sure they are fulfilling their contractual obligations. These "hidden costs" can easily undercut anticipated benefits from outsourcing. When a firm allocates the responsibility for developing and operating its information systems to another organization, it can lose control over its information systems function. If the organization lacks the expertise to negotiate a sound contract, the firm's dependency on the vendor could result in high costs or loss of control over technological direction. Firms should be especially cautious when using an outsourcer to develop or to operate applications that give it some type of competitive advantage.
Hosting the System Outsource In-house
3.4.6 Summary
Increasingly, companies are converting at least some portion of their business to run over the Internet, intranets, or extranets. An important trend in systems development is that business applications are been moving to the Internet to support selling products to customers, placing orders with suppliers, and letting customers and/or suppliers access information about production, inventory, orders, or accounts receivable. Internet technology provides a platform for applications that enables companies to extend their transaction processing systems beyond the boundaries of the organization to their customers, suppliers, and partners. This enables companies to conduct business much faster, interact with more people, and try to keep one step ahead of the competition. Building a dynamic core business application that runs over the Web is much more complicated. Such applications must meet special business needs. They must be able to scale up to support highly variable transaction throughput from potentially thousands of users. Ideally, they can scale up instantly when needed. They must be reliable and fault tolerant, providing continuous availability while processing all transactions accurately. They must also integrate with existing infrastructure,
67
Features
Sequential step-by-step
formal process Written specification and approvals limited role of users
Prototyping
Requirements specified
dynamically with experimental system Rapid, informal, and iterative process Users continually interact with the prototype
Rapid and relatively inexpensive Useful when requirements uncertain or when end-user interface is very important Promotes user participation
Design, programming, installation, and maintenance work reduced Can save time and cost when developing common business applications Reduces need for internal information systems resources
May not meet organization's unique requirements May not perform many business functions well Extensive customization raises development costs
End-user computing
User control systemsbuilding Saves development time and cost Reduces application backlog
Can lead to proliferation of uncontrolled information systems and data Systems do not always meet quality assurance standards Loss of control over the information systems function Dependence on the technical direction and prosperity of external vendors
Outsourcing
Can reduce or control costs Can produce systems when internal resources are not available or technically deficient
including customer and order databases, existing applications, and enterprise resource planning systems. Development and maintenance must be quick and easy, as business needs may require changing applications on the fly. In the digital firm environment, organizations need to be able to add, change, and retire their technology capabilities very rapidly. Companies are adopting shorter, more informal development processes for many of their e-commerce and e-business applications, processes that provide fast solutions that do not disrupt their core transaction processing systems and organizational databases. They are relying more heavily on fast-cycle techniques such as JAD, prototypes, and reusable standardized software components that can be assembled into a complete set of services for e-commerce and e-business. In summary, systems development can be a difficult task. Many projects have failed because they cost much more than anticipated or they did not produce useful systems. All development methods introduced in this chapter involve five basic steps: feasibility and planning, systems analysis, design, implementation, and maintenance. Prototyping and end-user development typically focus on the design stage. However, managers need to remember that implementation problems can arise with any new system, regardless of how it was created. The following table compares the advantages and disadvantages of each of the system-building alternatives.
68
Ethics is a concern of humans who have freedom of choice. Ethics is about individual choice: when we faced with alternative courses of action, what is the correct moral choice? Ethical choices are decisions made by individuals who are responsible for the consequences of their actions. Information technologies are filtered through social institutions, organizations, and individuals. Systems do not have impacts by themselves. Whatever information system impact exist are products of institutional, organizational, and individual actions and behaviors. The responsibility for the consequences of technology falls clearly on the institutions, organizations, and individuals who choose to use the technology. Using information technology in a socially responsible manner means that you can and will be held accountable for the consequences of your actions. Intellectual Intangible creative work that is embodied in Technology poses new challenges for our ethicsthe physical form. Property principles and standards that guide our behavior toward other people. Figure 3-28 summaries the concepts, terms, The legal protection afforded an expression of Copyright and ethical issues stemming from advances in technology. an idea, such as a song, video game, and Individuals determine how to use information and how some types of proprietary documents. information affects them. How individuals behave toward each other, how they handle information and technology, Fair Use In certain situations, it is legal to use copyare largely influenced by their ethics. Ethical dilemmas righted material. Doctrine usually arise not in simple, clear-cut situations but out of a clash between competing goals, responsibilities, and Pirated The unauthorized use, duplication, distribuloyalties. Some examples of ethically questionable or tion, or sale of copyrighted software. software unacceptable uses of information technology include: 1. 2. Individuals copy, use, and distribute software Employees search organizational databases for sensitive corporate and personal information
Counterfeit software Software that is manufactured to look like the real thing and sold as such.
69
3. 4. 5. 6.
Organizations collect, buy, and use information without checking the validity or accuracy of the information Individuals create and spread viruses that cause trouble for those using and maintaining IT systems. Individuals hack into computer systems to steal proprietary information Employees destroy or steal proprietary organization information such as schematics, sketches, customer lists, and reports.
Privacy is one of the largest ethical issues organizations. Privacy is the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent. Privacy is related to confidentiality, which is the assurance that messages and information are available only to those who are authorized to view them. Some of the most problematic decisions facing organizations lie in the murky and turbulent waters of privacy. The burden comes from the knowledge that each time employees makes a decision regarding issues of privacy, the outcome could potentially sink the company. Trust between companies, customers, partners, and suppliers is the support structure of e-business. Privacy is one of the main ingredients in trust. Privacy continues to be one of the primary barriers to the growth of e-business. Information has no ethics. Information does not cre how it is used. It will not stop itself from spamming customers, sharing itself if it is sensitive or personal, or revealing details to third parties. Information cannot delete or preserve itself. Therefore, it falls on the shoulders of those who own the information to develop ethical guidelines on how to manage the information. Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management. Organizations should develop written policies establishing employee guidelines, personnel procedures, and organizational rules for information. These policies set employee expectations about the organizations practices and standards and protect the organization from misuse of computer systems and IT resources. These policies address the ethical use of computers and Internet usage in the business environment. These policies typically embody the following: 1. 2. 3. 4. 5. 6. Ethical computer use policy: General principles to guide computer user behavior. Information privacy policy: General principles regarding information privacy. Acceptable use policy: A policy that a user must agree to follow in order to be provided access to a network or to the Internet. E-mail privacy policy: Details on the extent to which e-mail messages may be read by others. Internet use policy: General principles to guide the proper use of the Internet. Anti-spam policy: the policy states that e-mail users will not send unsolicited e-mails (or spam).
70
1.
2.
3.
Authentication and authorization: Authentication is a method for confirming users identities. Once a system determines the authentication of a user, it can then determine the access privileges (or authorization) for that user. Authorization is the process of giving someone permission to do or have something. Authentication and authorization techniques include (1) something the user knows such as a user ID and password, (2) something the user has such as a smart card or token, and (3) something that is part of the user such as a fingerprint or voice signature. Identity theft is the forging of someones identity for the purpose of fraud. The fraud is often financial fraud, to apply for and use credit cards in the victims name or to apply for a loan. Phishing is a common way to steal identities online. Phishing is a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail. Prevention and resistance: Prevention and resistance technologies stop intruders from accessing intellectual capital. One of the most common defenses for preventing a security breach is a firewall. A firewall is hardware and/or software that guard a private network by analyzing the information leaving and entering the network. Firewalls examine each message that wants entrance to the network. Unless the message has the correct markings, the firewall prevents it from entering the network. Content filtering occurs when organizations use software that filters content to prevent the transmission of unauthorized information. Organizations can use content filtering technologies to filter e-mail and prevent e-mails containing sensitive information from transmitting, whether the transmission was malicious or accidental. Encryption scrambles information into an alternative form that requires a key or password to decrypt the information. If there is an information security breach and the information was encrypted, the person stealing the information will be unable to read it. Detection and response: If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage. The most common type of defense is antivirus software.
Implementing information security lines of defense through people first and through technology second is the best way for an organization to protect its vital intellectual capital. The first line of defense is securing intellectual capital by creating an information security plan detailing the various information security policies. The second line of defense is investing in technology to help secure information through authentication and authorization, prevention and resistance, and detection and response.
Database Hardware Operating Systems Application Software Database Theft of data Copying data Alteration of data Hardware failure Software failure
Hacking Viruses and worms Theft and fraud Vandalism Denial of service attacks
71
with demands for timely delivery to markets, have contributed to an increase in software flaws or vulnerabilities. A major problem with software is the presence of hidden hugs or program code defects. Studies have shown that it is virtually impossible to eliminate all bugs from large programs. Zero defects cannot be achieved in larger programs. Complete testing simply is not possible. Fully testing programs that contain thousands of choices and millions of paths would require thousands of years. Flaws in commercial software not only impede performance but also create security vulnerabilities that open networks to intruders. Each year, security firms identify about 5,000 software vulnerabilities in Internet and PC software. To correct software flaws once they are identified, the software vendor creates small pieces of software called patches to repair the flaws without disturbing the proper operation. It is up to users of the software to track these vulnerabilities, test, and apply all patches. This process is called patch management. Even with the best security tools, your information system wont be reliable and secure unless you know how and where to deploy them. You will need to know where your company is at risk and what controls you must have in place to protect your information systems. Before your company commits resources to security and information systems controls, it must know which assets require protection and the extent to which these assets are vulnerable. A risk assessment helps answer these questions and determine the most cost-effective set of controls for protecting assets. A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Business managers working with information system specialists can determine the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage. Once the risks have been assessed, system builders will concentrate on the control points with the greatest vulnerability and potential for loss. Once you have identified the main risks to your systems, your company will need to develop a security policy for protecting the companys assets. A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying mechanisms for achieving these goals. The security policy drives policies determining acceptable use of the firms information resources and which members of the company have access to its information assets. Information systems controls consist of both general controls and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organizations information technology infrastructure. One the whole, general controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment. General controls include the following controls: Software controls: Monitor the use of system software and prevent unauthorized access of software programs, system software, and computer programs. Hardware controls: Ensure that computer hardware is physical secure, and check for equipment malfunction. Organizations that are critically dependent on their computers also must make provisions for backup or continued operation to maintain constant service. Computer operations controls: Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data. Data security controls: Ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage. Implementation controls: Audit the systems development process at various points to ensure that the process is properly controlled and managed. Administrative controls: Formalized standards, rules, procedures, and control disciplines to ensure that the organizations general and application controls are properly executed and enforced.
Application controls are specific controls unique to each computerized application, such as payroll or order processing. They ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as (1) input controls, which check data for accuracy and completeness when they enter the system; (2) processing controls, which establish that data are complete and accurate during updating, and (3) output controls, which ensure that the results of computer processing are accurate, complete, and properly distributed. A business needs to plan for events, such as power outages, floods, earthquakes, or terrorist attacks that will prevent your information systems and your business form operating. Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services. Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down. Business managers and information technology specialists need to work together on both types of plans to determine which systems and business processes are most critical to the company.
72